Darknet diving – conducting OSINT on .onion sites

  • by

DISCLAIMER: This article is based purely on open source, public knowledge and does not contain any law enforcement OSINT techniques or materials.

The Dark Web is this uncharted, chaotic conglomerate of sites, with content varying from extreme freedom of speech to extreme criminality.

It is full of weird, uncensored and sometimes even harmful stuff that in many cases nobody would want to host on their clearnet server.

In order to access any .onion site, you need a TOR browser. If you aren’t familiar with TOR, read this article:

The Onion Router (TOR) – the truths and myths of anonymity

The common problem of our digital landscape nowadays is not the lack of data – it’s the abundance of it and the fact that there is so much information noise out there.

As difficult as you might think finding valuable content is on the clearnet, the dark web is far worse. The .onion sites often just go down for prolonged periods of time or entirely disappear. 

And you can forget about doing a “who is” query on the site owner if you want to contact them…

TOR Search Engines

It can be very hard to manually search for any content on the dark web, especially given the nature of .onion URL addresses.

Luckily, there are some resources that can help. These won’t be as accurate or reliable as Google, but will return at least some hits on items of interest.

duckduckgo.com – available both in the clearnet and the darknet, this is the default search engine of the TOR browser and arguably the most popular one for .onion websites.

The TOR link:

https://3g2upl4pq6kufc4m.onion/

ahmia.fi – a clearnet search engine that indexes, searches and catalogues any content published on Tor Hidden Services. It is important to point out that Ahmia will not return matches for abusive content like child abuse materials. It also keeps a blacklist of abusive services and users can report any offending sites directly from the search engine interface.

darksearch.io – it will work in the normal clearnet browser for searching TOR URLs, but it will warn you of “limited anonymity”. Arguably, one of the upcoming, very popular search engines. It offers a free API for automated search queries and boasts other things that make it “different” from its competitors. You can read more about DarkSearch on Medium.

Torch – a very popular dark web only search engine. It’s probably the oldest search engine that I can remember for TOR sites. The number of onion pages indexed and available constantly changes, but the figure is rumoured to be in the millions.

The TOR link: https://xmh57jrzrnw6insl.onion.to/

Not Evil – an obvious play on words here, reusing the Google’s abandoned “Don’t be evil” motto. Not Evil does not tolerate illegal content and has a community-based mechanism for reporting and removing offending sites from the index.

The TOR link: https://hss3uro2hsxfogfq.onion.sh/

hidden wiki Osint Me

Where to start on the Dark Web?

Traditionally, nearly every excursion into the dark web started with the Hidden Wiki.

It’s a clearnet resource with some links to .onion sites. But at this stage it’s very outdated – at the time of writing this article, the most recently updated content on the Hidden Wiki dates back to May 2017.

While some of the content is still accessible, I think the Hidden Wiki has lost its appeal and standing in the TOR community.

Time to look for alternatives.

The Dark Web Links – a site that, nomen omen, does what it says on the box. It contains recent links to various sites, from marketplaces selling illegal goods to adult pornography and Bitcoin mixers used for money laundering.

Deep Web Site Links – another clearnet repository of dark web links. A wild variety of resources, from markets to hackers or hitmen for hire (the latter ones are scams!)

Deep Web Links – another generic-named site with .onion links, segregated into Level 1 and Level 2 sites (go figure what that means).

TorLinks – advertised as a moderated replacement for The Hidden Wiki. No clearnet version available.

The TOR link:

http://torlinkbgs6aabns.onion/

Onion link list – a slightly chaotic repository that comes with a sobering warning from the author:

“I’m not responsible for any content of websites linked here. 99% of darkweb sites selling anything are scams. Be careful and use your brain. Every day I get 2-5 E-Mails from people that were desperate to make money and fell for scammers, don’t be one of them!”

The TOR link:

http://donionsixbjtiohce24abfgsffo2l4tk26qx464zylumgejukfq2vead.onion/

Conducting an OSINT investigation

All will depend on who your OSINT target is. For instance, if it’s a dark market vendor, the first step is to gather intelligence on the account.

Every account anywhere has some unique characteristics and dark market vendors are no different. After all, they run a business (albeit an illegal one) and brand reputation along with customer satisfaction are important elements of their trade.

When creating an intelligence profile of a target dark market vendor account, you should take note of the following:

  • nickname
  • date of account creation / vendor since date
  • last login (for trying to map out an activity pattern)
  • PGP public key
  • type of merchandise offered
  • methods of contact (Telegram, Jabber, Whatsapp, etc.)

There are many vendors who operate on various markets with the same details across all sites. Some are also active on discussion forums where they exchange views and experiences on operational security and analyse any recent law enforcement operations and arrests.

When profiling, you should also take heed of metadata associated with these profiles. Some of this info is not obvious and includes two important approaches to written content from which metadata can be derived from:

  • stylometry – study of a linguistic style of written texts. Certain phrases, slang terms and colloquialisms are associated with specific geographic locations and rarely occur elsewhere;
  • forensic stylistics – used for analysis of content, meaning and the general writing style, including use of punctuation. The infamous “Unabomber Manifesto” was successfully attributed to Theodore Kaczynski as result of comparing unique phrases and lexical items contained within to other writings of the suspect.

 

Some OSINT investigations that will lead you to the dark web won’t start there. 

Last year an online investigation carried out by independent researchers discovered Twitter accounts associated with ISIS jihadist crowdfunding efforts.

The Islamist terrorists were using Bitcoin to raise funds for their campaign against the Asad regime in Syria (and no doubt for terrorist attacks elsewhere).

Bitcoin addresses associated with the jihadists were no doubt quickly scraped up by OSINT researchers, law enforcement and intelligence agencies.

Many people obviously still don’t understand that Bitcoin is not anonymous, it’s pseudo-anonymous. Bitcoin transactions can be traced effectively by government agencies who use blockchain analytics software. Any Bitcoin attributed to these addresses can be labelled as “tainted” and effectively blacklisted by any compliant online exchanges. This would make the cashing out options available to the jihadists very limited.

It turned out that the SadaqaCoins project, as the crowdfunding initiative was known on social media, had its own dark web domain at the following address (now defunct):

http://sadaqabmnor4ufnj.onion

Donations were accepted in other digital currencies – Monero and Ethereum:

In an interesting turn of events however, the main Bitcoin address associated with SadaqaCoins:

3422VtS7UtCvXYxoXMVp6eZupR252z85oC

was subsequently labelled as “scam” on bitcoinwhoswho.com:

When we apply a dose of scepticism to the whole story, it is plausible to suspect that the Bitcoin fundraiser, and maybe even the darknet website, were part of an elaborate scam to siphon money out of jihadist supporters.

Conclusions

During my OSINT investigations in the dark web I have encountered many types of content – from “fairtrade cocaine” (no such thing), a “cannibal cookbook” (likely a joke) to “hitmen for hire” (scam).

Scam is something that is frequently encountered on the dark web. As OSINT researchers we need to always assume the probability that what we are investigating is fake content.

I want this caveat to be an important part of this article – as exciting as OSINT in the dark web appears, and sometimes it is, when it comes to vendors and marketplaces the majority of purchasable content is a scam.

Whether one decides to buy drugs, weapons, stolen electronics or digital goods, there is always a chance that after sending the Bitcoin no merchandise will arrive. Ever.

Some of the well established dark market vendors and entire marketplaces are known to have closed down in what is known as “exit scam” scenario, where the whole platform disappears of a server, along with any digital currencies held in the associated wallets.

To conclude, I would like to introduce you to one of my favourite darknet websites:

http://politiepcvh42eav.onion/

It belongs to the Dutch Police and I have to say they have one of the best trained, best resourced and the most active cyber crime units in the world.

(yeah I am a fanboy, I know…)

Leave a Reply

Your email address will not be published.